David García Aug 16, 2021 3 min read

Medusa Banking Trojan exploits several Social Networks to communicate with Control Server

Medusa is a banking trojan that started out in July 2020. During the summer of that year, new campaigns from this family were detected, although new samples were no longer seen after September. 

However, since May 2021, several new samples of this family have been detected that maintain the main functionality of the trojan, but that reactivate its activity.

Medusa is another banking trojan for Android devices. It doesn't present any new developments with respect to the rest of the known families, such as Cerberus or Flubot.

However, it will be important to closely monitor the evolution of this family, since in the future it could introduce important developments that improve the theft of credentials and private information from its victims.

Like most Android banking trojans, Medusa tries to get as much data as possible from the infected device, in addition to banking credentials. The theft of text messages helps attackers to carry out fraud after the theft of credentials, while the theft of the contact list enables distribution in new campaigns through spam.

Medusa takes advantage of several social networks such as Telegram, ICQ or Twitter to store the address of the control server to which the trojan must connect.

In this way, the attacker can update the control server without any major difficulties, since the trojan will consult the new address by accessing the different social network profiles included in the sample code. This also is nothing new, as Anubis Bankbot has already been using this system for quite some time.

For the time being, only Turkish banking entities have been observed among those that are affected, although the attackers behind this malware could begin to include new entities in search of an expansion to new countries.

Download the full report here.


David García

In his more than 9-year professional career, he has been involved in multiple projects, the most important being in the fields of managed security, anti-fraud and ethical hacking services, and malware analysis. He has contributed his know-how and security-related improvements to a wide variety of fraud and vulnerability analysis products. He currently oversees the smooth running of our different products and researches current fraud developments in order to showcase buguroo overseas as well as providing the development department with feedback on the latest malware and cybercriminal trends.